After a successful login in which my Web App receives the TokenResponse (containing the access_token, expiration time, id_token, refresh_token and token_type) and sends the access token down to the client to make subsequent calls to my Web App, how do I validate the access token and the identity of the user? Should the access token be the Authorization Bearer token, or should the identity_token be the Authorization Bearer token? Do the steps below make sense, or do I have something mixed up?
1. When the user first signs in on the client, the Apple ID server sends back the Client ID, Identity Token and Authorization Code.
2. The client app sends those 3 credentials to the Web API.
3. The Web API FIRST checks the validity of the Identity Token; NEXT, if verified, it calls the Apple ID server (https://appleid.apple.com/auth/token) to get the TokenResponse (contains access_token, expiration time, id_token, refresh_token, token_type).
4. The Web API stores the refresh_token in the DB.
5. The Web API sends the access_token to the client.
6. The client sends the access_token on all subsequent calls to the Web API.
As described in this doc page (Access Tokens), Identity Tokens are meant for application use only. So when securing your API you should send the Access Token in the Authorization header.
I noticed that Auth0 created a few blog posts on Sign In With Apple and was hoping the Auth0 team could provide some insight on my question above. But I think I figured it out. After the user is authenticated, the client app receives the credentials and sends the credentials to my server. My server will verify the identity_token provided by Apple’s server; I’ll have my server create a refresh token, send it down to the client, and then the next time the client calls my server I’ll verify the refresh token and then send down an access token.
I won’t do steps 4, 5, 6 and the TokenResponse step in 3.
I found an answer a few days back and it worked. A totally conceptual response was provided.
For code, in the Swift file use this method:

    Auth0.authentication()
        .login(appleAuthorizationCode: authCode, fullName: appleIDCredential.fullName, scope: "openid profile email", audience: "YOUR AUDIENCE URL")
        .start { result in
            switch result {
            case .success(let credentials): print("Logged in: \(credentials)") // Auth0 tokens to use against your API
            case .failure(let error): print("Login failed: \(error)")
            }
        }